Human Resources company ComplyRight suffers data breach

23 July 2018

A security breach of ComplyRight’s website jeopardises sensitive consumer information including names, addresses, phone numbers and email addresses from tax forms submitted by the company’s thousands of clients on behalf of employees.

In late May 2018, Florida-based ComplyRight was alerted to a potential issue affecting the tax form preparation websites using its platform. In consultation with third-party forensic cybersecurity experts, ComplyRight took swift action to secure the data of its partners, business customers and the individuals potentially impacted.

The forensic investigators concluded that there was unauthorised access to the website resulting in compromise of personal information for some individual recipients of tax forms such as 1099 or W-2 forms. Although the forensic investigation determined the information was accessed and/or viewed, the investigators were unable to confirm whether the information was downloaded or otherwise acquired by the unauthorised user.

ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach.

Commenting on this, Ryan Wilk, vice president at NuData Security, a Mastercard company, said:

“One of the many dangerous things about breaches is the amount of time it takes for companies and end users to know their data is out in the open. From the moment a breach happens, hackers have ample time to broker the stolen names, Social Security numbers, tax data and other identifying information on the dark web – leaving customers and employees open to the impacts of identity theft.

This breach underscores once again, for merchants and financial institutions, that mere reliance on passwords and usernames is insufficient to protect their organisation and their customers from online fraud. It’s past time for every organisation handling sensitive data to lock down their security, and to stop relying on personally identifiable information to verify users – which is easily stolen and easily reused.

Many companies are implementing multi-layered solutions with passive biometrics and behavioural analytics to leverage behaviour patterns and hundreds of other indicators to confirm legitimate users with true accuracy. This way companies don’t rely on the credentials and sensitive data exposed in breaches.”


The CIPP run a half-day training course on the General Data Protection Regulation (GDPR), which is available face-to-face and online.

Our National Forum webinar took place on 19 July and includes a section on GDPR. This recording will be available to members shortly (free of charge) through News On Line.